From 8a6397deff1565acad982f19af5516b489871e6d Mon Sep 17 00:00:00 2001
From: Wietse Venema <wietse@porcupine.org>
Date: Sat, 13 Feb 2010 00:00:00 -0500
Subject: [PATCH] postfix-2.8-20100213

---
 postfix/HISTORY                               |   6 +
 postfix/README_FILES/ADDRESS_REWRITING_README |   8 +-
 postfix/README_FILES/DATABASE_README          |   3 +-
 postfix/README_FILES/SASL_README              |  88 ++++++++-------
 postfix/WISHLIST                              |   4 +-
 postfix/html/ADDRESS_REWRITING_README.html    |   8 +-
 postfix/html/DATABASE_README.html             |   2 +-
 postfix/html/SASL_README.html                 | 104 ++++++++++--------
 postfix/html/bounce.8.html                    |   3 +-
 postfix/html/defer.8.html                     |   3 +-
 postfix/html/postconf.5.html                  |  18 +--
 postfix/html/smtpd.8.html                     |   4 +-
 postfix/html/trace.8.html                     |   3 +-
 postfix/man/man5/postconf.5                   |  16 ++-
 postfix/man/man8/bounce.8                     |   3 +-
 postfix/man/man8/smtpd.8                      |   6 +-
 postfix/proto/ADDRESS_REWRITING_README.html   |   8 +-
 postfix/proto/DATABASE_README.html            |   2 +-
 postfix/proto/SASL_README.html                | 104 ++++++++++--------
 postfix/proto/postconf.proto                  |  18 +--
 postfix/src/bounce/bounce.c                   |   3 +-
 postfix/src/global/mail_version.h             |   2 +-
 postfix/src/local/bounce_workaround.c         |   9 +-
 postfix/src/smtpd/smtpd.c                     |   6 +-
 postfix/src/util/dict_open.c                  |   2 -
 25 files changed, 238 insertions(+), 195 deletions(-)

diff --git a/postfix/HISTORY b/postfix/HISTORY
index b4d0af9c3..c703d0d1b 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -15723,3 +15723,9 @@ Apologies for any names omitted.
 	reuses the workaround that was implemented to report a
 	Delivered-To: loop. Files: local/file.c, local/command.c,
 	local/recipient.c, local/bounce_workaround.c.
+
+20100209
+
+	The tcp_table(5) interface is now part of the stable release.
+	The last protocol change was in Postfix 2.1. File:
+	util/dict_open.c.
diff --git a/postfix/README_FILES/ADDRESS_REWRITING_README b/postfix/README_FILES/ADDRESS_REWRITING_README
index 63786eb89..ceae94d8d 100644
--- a/postfix/README_FILES/ADDRESS_REWRITING_README
+++ b/postfix/README_FILES/ADDRESS_REWRITING_README
@@ -366,7 +366,7 @@ This feature is available in Postfix version 2.1 and later.
 Example:
 
     /etc/postfix/master.cf:
-        :10026      inet  n       -       n       -       -       smtpd
+        127.0.0.1:10026    inet  n      -      n      -      -     smtpd
             -o receive_override_options=no_address_mappings
 
 Note: do not specify whitespace around the "=" here.
@@ -439,7 +439,7 @@ file. This feature is available in Postfix version 2.1 and later.
 Example:
 
     /etc/postfix/master.cf:
-        :10026      inet  n       -       n       -       -       smtpd
+        127.0.0.1:10026    inet  n      -      n      -      -     smtpd
             -o receive_override_options=no_address_mappings
 
 Note: do not specify whitespace around the "=" here.
@@ -475,7 +475,7 @@ settings in the master.cf file. This feature is available in Postfix version
 Example:
 
     /etc/postfix/master.cf:
-        :10026      inet  n       -       n       -       -       smtpd
+        127.0.0.1:10026    inet  n      -      n      -      -     smtpd
             -o receive_override_options=no_address_mappings
 
 Note: do not specify whitespace around the "=" here.
@@ -520,7 +520,7 @@ This feature is available in Postfix version 2.1 and later.
 Example:
 
     /etc/postfix/master.cf:
-        :10026      inet  n       -       n       -       -       smtpd
+        127.0.0.1:10026    inet  n      -      n      -      -     smtpd
             -o receive_override_options=no_address_mappings
 
 Note: do not specify whitespace around the "=" here.
diff --git a/postfix/README_FILES/DATABASE_README b/postfix/README_FILES/DATABASE_README
index 284f391e5..46655f1b3 100644
--- a/postfix/README_FILES/DATABASE_README
+++ b/postfix/README_FILES/DATABASE_README
@@ -248,8 +248,7 @@ To find out what database types your Postfix system supports, use the "ppooss
         Access information through a TCP/IP server. The protocol is described
         in tcp_table(5). The lookup table name is "tcp:host:port" where "host"
         specifies a symbolic hostname or a numeric IP address, and "port"
-        specifies a symbolic service name or a numeric port number. This
-        protocol is not available in the stable Postfix release.
+        specifies a symbolic service name or a numeric port number.
     uunniixx (read-only)
         A limited way to query the UNIX authentication database. The following
         tables are implemented:
diff --git a/postfix/README_FILES/SASL_README b/postfix/README_FILES/SASL_README
index cfa810dce..27de01c40 100644
--- a/postfix/README_FILES/SASL_README
+++ b/postfix/README_FILES/SASL_README
@@ -17,12 +17,12 @@ to remote destinations, or only to destinations that the server itself is
 responsible for. Usually, SMTP servers allow mail to remote destinations when
 the client's IP address is in the "same network" as the server's IP address.
 
-Sometimes an SMTP client needs "same network" privileges when it connects from
-elsewhere. To address this problem, Postfix supports SASL authentication (RFC
-4954, formerly RFC 2554). With this a remote SMTP client can authenticate to
-the Postfix SMTP server, and the Postfix SMTP client can authenticate to a
-remote SMTP server. Once a client is authenticated, a server can give it "same
-network" privileges.
+SMTP clients outside the SMTP server's network need a different way to get
+"same network" privileges. To address this need, Postfix supports SASL
+authentication (RFC 4954, formerly RFC 2554). With this a remote SMTP client
+can authenticate to the Postfix SMTP server, and the Postfix SMTP client can
+authenticate to a remote SMTP server. Once a client is authenticated, a server
+can give it "same network" privileges.
 
 Postfix does not implement SASL itself, but instead uses existing
 implementations as building blocks. This means that some SASL-related
@@ -101,10 +101,10 @@ These commands are available only with Postfix version 2.3 and later.
 
 CCoonnffiigguurriinngg DDoovveeccoott SSAASSLL
 
-Dovecot is a POP/IMAP server that must be configured to authenticate POP/IMAP
-clients. When the Postfix SMTP server uses Dovecot SASL, it also reuses this
-configuration. Consult the Dovecot documentation for how to configure and
-operate the Dovecot authentication server.
+Dovecot is a POP/IMAP server that has its own configuration to authenticate
+POP/IMAP clients. When the Postfix SMTP server uses Dovecot SASL, it reuses
+parts of this configuration. Consult the Dovecot documentation for how to
+configure and operate the Dovecot authentication server.
 
 PPoossttffiixx ttoo DDoovveeccoott SSAASSLL ccoommmmuunniiccaattiioonn
 
@@ -141,9 +141,9 @@ Postfix SMTP server" to turn on and use SASL in the Postfix SMTP server.
 
 CCoonnffiigguurriinngg CCyyrruuss SSAASSLL
 
-The Cyrus SASL framework was supports a wide variety of applications. Different
-applications may require different configurations. As a consequence each
-application may have its own configuration file.
+The Cyrus SASL framework supports a wide variety of applications (POP, IMAP,
+SMTP, etc.). Different applications may require different configurations. As a
+consequence each application may have its own configuration file.
 
 The first step configuring Cyrus SASL is to determine name and location of a
 configuration file that describes how the Postfix SMTP server will use the SASL
@@ -256,8 +256,8 @@ its password verification service:
 
 Additionally the saslauthd server itself must be configured. It must be told
 which authentication backend to turn to for password verification. The backend
-is choosen as a command line option when saslauthd is started and will be shown
-in the following examples.
+is selected with a saslauthd command-line option and will be shown in the
+following examples.
 
     NNoottee
 
@@ -335,8 +335,8 @@ shows the response when authentication is successful:
     -debug packages.
 
 Specify an additional "-s smtp" if saslauthd was configured to contact the PAM
-authentication framework and an additional "-f //ppaatthh//ttoo//ssoocckkeettddiirr//mmuuxx" if
-saslauthd establishes the UNIX-domain socket in a non-default location.
+authentication framework, and specify an additional "-f //ppaatthh//ttoo//ssoocckkeettddiirr//mmuuxx"
+if saslauthd establishes the UNIX-domain socket in a non-default location.
 
 If authentication succeeds, proceed with the section "Enabling SASL
 authentication and authorization in the Postfix SMTP server".
@@ -347,14 +347,15 @@ Cyrus SASL uses a plugin infrastructure (called auxprop) to expand libsasl's
 capabilities. Currently Cyrus SASL sources provide three authentication
 plugins.
 
-    sasldb
-        Accounts are stored stored in a Cyrus SASL Berkeley DB database
-
-    sql
-        Accounts are stored in a SQL database
-
-    ldapdb
-        Accounts are stored stored in an LDAP database
+     _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
+    |PPlluuggiinn|DDeessccrriippttiioonn                                                    |
+    |_ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+    |sasldb|Accounts are stored stored in a Cyrus SASL Berkeley DB database|
+    |_ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+    |sql   |Accounts are stored in a SQL database                          |
+    |_ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+    |ldapdb|Accounts are stored stored in an LDAP database                 |
+    |_ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
 
     IImmppoorrttaanntt
 
@@ -425,11 +426,12 @@ requires that SASL client passwords are stored as plaintext.
 
     TTiipp
 
-    If you must store encrypted passwords, see section "Using saslauthd with
-    PAM", and configure PAM to look up the encrypted passwords with, for
-    example, the pam_mysql module. You will not be able to use any of the
-    methods that require access to plaintext passwords, such as the shared-
-    secret methods CRAM-MD5 and DIGEST-MD5.
+    If you must store encrypted passwords, you cannot use the sql auxprop
+    plugin. Instead, see section "Using saslauthd with PAM", and configure PAM
+    to look up the encrypted passwords with, for example, the pam_mysql module.
+    You will not be able to use any of the methods that require access to
+    plaintext passwords, such as the shared-secret methods CRAM-MD5 and DIGEST-
+    MD5.
 
 The following example configures libsasl to use the sql plugin and connects it
 to a PostgreSQL server:
@@ -514,12 +516,12 @@ plaintext.
 
     TTiipp
 
-    If you must store encrypted passwords, you can use "saslauthd -a ldap" to
-    query the LDAP database directly, with appropriate configuration in
-    saslauthd.conf. This may be documented in a later version of this document.
-    You will not be able to use any of the methods that require access to
-    plaintext passwords, such as the shared-secret methods CRAM-MD5 and DIGEST-
-    MD5.
+    If you must store encrypted passwords, you cannot use the ldapdb auxprop
+    plugin. Instead, you can use "saslauthd -a ldap" to query the LDAP database
+    directly, with appropriate configuration in saslauthd.conf. This may be
+    documented in a later version of this document. You will not be able to use
+    any of the methods that require access to plaintext passwords, such as the
+    shared-secret methods CRAM-MD5 and DIGEST-MD5.
 
 The ldapdb plugin implements proxy authorization. This means that the ldapdb
 plugin uses its own username and password to authenticate with the LDAP server,
@@ -659,7 +661,7 @@ SASL socket:
 EEnnaabblliinngg SSAASSLL aauutthheennttiiccaattiioonn iinn tthhee PPoossttffiixx SSMMTTPP sseerrvveerr
 
 Regardless of the SASL implementation type, enabling SMTP authentication in the
-Postfix SMTP server always requires seting the smtpd_sasl_auth_enable option:
+Postfix SMTP server always requires setting the smtpd_sasl_auth_enable option:
 
     /etc/postfix/main.cf:
         smtpd_sasl_auth_enable = yes
@@ -1105,12 +1107,18 @@ mechanisms are not allowed (nor is any anonymous mechanism):
     /etc/postfix/main.cf:
         smtp_sasl_security_options = noplaintext, noanonymous
 
-This default policy leads to authentication failures if the remote server only
-offers plaintext authentication mechanisms. In such cases the SMTP client will
-log the following error message:
+This default policy, which allows no plaintext passwords, leads to
+authentication failures if the remote server only offers plaintext
+authentication mechanisms (the SMTP server announces "AUTH PLAIN LOGIN"). In
+such cases the SMTP client will log the following error message:
 
     SASL authentication failure: No worthy mechs found
 
+    NNoottee
+
+    This same error message will also be logged when the libplain.so or
+    liblogin.so modules are not installed in the /usr/lib/sasl2 directory.
+
 The less secure approach is to lower the security standards and permit
 plaintext authentication mechanisms:
 
diff --git a/postfix/WISHLIST b/postfix/WISHLIST
index e5d402ce5..bb3e2d6e0 100644
--- a/postfix/WISHLIST
+++ b/postfix/WISHLIST
@@ -2,8 +2,6 @@ Wish list:
 
 	Remove this file from the stable release.
 
-	instead of ipc_idle, reduce ipc_ttl.
-
 	Add smtpd_sender_login_maps to proxy_read_maps. What other 
 	parameters are worthy of being whitelisted for proxy access?
 	Is there a way to automate this decision?
@@ -24,7 +22,7 @@ Wish list:
 	the result exceeds the limit.
 
 	Should the postscreen save permanent white/black list lookup
-	results int the temporary cache, and query the temporary
+	results to the temporary cache, and query the temporary
 	cache first? Skipping white/black list lookups will speed
 	up the handling of "good" clients without a permanent
 	whitelist entry.  Of course, this means that updates to the
diff --git a/postfix/html/ADDRESS_REWRITING_README.html b/postfix/html/ADDRESS_REWRITING_README.html
index e934bf310..015db2ef5 100644
--- a/postfix/html/ADDRESS_REWRITING_README.html
+++ b/postfix/html/ADDRESS_REWRITING_README.html
@@ -602,7 +602,7 @@ in the <a href="master.5.html">master.cf</a> file.  This feature is available in
 <blockquote>
 <pre>
 /etc/postfix/<a href="master.5.html">master.cf</a>:
-    :10026      inet  n       -       n       -       -       smtpd
+    127.0.0.1:10026    inet  n      -      n      -      -     smtpd
         -o <a href="postconf.5.html#receive_override_options">receive_override_options</a>=<a href="postconf.5.html#no_address_mappings">no_address_mappings</a>
 </pre>
 </blockquote>
@@ -701,7 +701,7 @@ Postfix version 2.1 and later. </p>
 <blockquote>
 <pre>
 /etc/postfix/<a href="master.5.html">master.cf</a>:
-    :10026      inet  n       -       n       -       -       smtpd
+    127.0.0.1:10026    inet  n      -      n      -      -     smtpd
         -o <a href="postconf.5.html#receive_override_options">receive_override_options</a>=<a href="postconf.5.html#no_address_mappings">no_address_mappings</a>
 </pre>
 </blockquote>
@@ -751,7 +751,7 @@ is available in Postfix version 2.1 and later. </p>
 <blockquote>
 <pre>
 /etc/postfix/<a href="master.5.html">master.cf</a>:
-    :10026      inet  n       -       n       -       -       smtpd
+    127.0.0.1:10026    inet  n      -      n      -      -     smtpd
         -o <a href="postconf.5.html#receive_override_options">receive_override_options</a>=<a href="postconf.5.html#no_address_mappings">no_address_mappings</a>
 </pre>
 </blockquote>
@@ -810,7 +810,7 @@ in the <a href="master.5.html">master.cf</a> file.  This feature is available in
 <blockquote>
 <pre>
 /etc/postfix/<a href="master.5.html">master.cf</a>:
-    :10026      inet  n       -       n       -       -       smtpd
+    127.0.0.1:10026    inet  n      -      n      -      -     smtpd
         -o <a href="postconf.5.html#receive_override_options">receive_override_options</a>=<a href="postconf.5.html#no_address_mappings">no_address_mappings</a>
 </pre>
 </blockquote>
diff --git a/postfix/html/DATABASE_README.html b/postfix/html/DATABASE_README.html
index 5d85c8bee..918ca7b86 100644
--- a/postfix/html/DATABASE_README.html
+++ b/postfix/html/DATABASE_README.html
@@ -370,7 +370,7 @@ example, the lookup table "static:foobar" always returns the string
 described in <a href="tcp_table.5.html">tcp_table(5)</a>. The lookup table name is "<a href="tcp_table.5.html">tcp</a>:host:port"
 where "host" specifies a symbolic hostname or a numeric IP address,
 and "port" specifies a symbolic service name or a numeric port
-number. This protocol is not available in the stable Postfix release.
+number.
 </dd>
 
 <dt> <b>unix</b> (read-only) </dt>
diff --git a/postfix/html/SASL_README.html b/postfix/html/SASL_README.html
index 454107e82..d55fb0031 100644
--- a/postfix/html/SASL_README.html
+++ b/postfix/html/SASL_README.html
@@ -32,8 +32,8 @@ the server itself is responsible for.  Usually, SMTP servers allow
 mail to remote destinations when the client's IP address is in the
 "same network" as the server's IP address.  </p>
 
-<p> Sometimes an SMTP client needs "same network" privileges when
-it connects from elsewhere.  To address this problem, Postfix
+<p> SMTP clients outside the SMTP server's network need a different
+way to get "same network" privileges.  To address this need, Postfix
 supports SASL authentication (<a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a>, formerly RFC 2554).  With
 this a remote SMTP client can authenticate to the Postfix SMTP
 server, and the Postfix SMTP client can authenticate to a remote
@@ -176,10 +176,10 @@ later. </p>
 
 <h3><a name="server_dovecot">Configuring Dovecot SASL</a></h3>
 
-<p> Dovecot is a POP/IMAP server that must be configured to
+<p> Dovecot is a POP/IMAP server that has its own configuration to
 authenticate POP/IMAP clients. When the Postfix SMTP server uses
-Dovecot SASL, it also reuses this configuration.  Consult the <a
-href="http://wiki.dovecot.org">Dovecot documentation</a> for how
+Dovecot SASL, it reuses parts of this configuration.  Consult the
+<a href="http://wiki.dovecot.org">Dovecot documentation</a> for how
 to configure and operate the Dovecot authentication server.  </p>
 
 <h4><a name="server_dovecot_comm">Postfix to Dovecot SASL communication</a></h4>
@@ -220,16 +220,14 @@ SASL socket in <code>/var/spool/postfix/private/auth</code>, and
 lines 11-13 limit read+write permissions to user and group
 <code>postfix</code> only. </p>
 
-<p> Proceed with the section "<a href="#server_sasl_enable"
-title="Enabling SASL authentication and configuring authorization
-in the Postfix SMTP server">Enabling SASL authentication and
-authorization in the Postfix SMTP server</a>" to turn on and use
-SASL in the Postfix SMTP server.  </p>
+<p> Proceed with the section "<a href="#server_sasl_enable">Enabling
+SASL authentication and authorization in the Postfix SMTP server</a>"
+to turn on and use SASL in the Postfix SMTP server.  </p>
 
 <h3><a name="server_cyrus">Configuring Cyrus SASL</a></h3>
 
-<p> The Cyrus SASL framework was supports a wide variety of
-applications.  Different applications may require different
+<p> The Cyrus SASL framework supports a wide variety of applications
+(POP, IMAP, SMTP, etc.).  Different applications may require different
 configurations. As a consequence each application may have its own
 configuration file.  </p>
 
@@ -438,9 +436,9 @@ by an additional security layer such as a TLS-encrypted SMTP session
 
 <p> Additionally the <code>saslauthd</code> server itself must be
 configured. It must be told which authentication backend to turn
-to for password verification. The backend is choosen as a command
-line option when <code>saslauthd</code> is started and will be shown
-in the following examples. </p>
+to for password verification. The backend is selected with a
+<code>saslauthd</code> command-line option and will be shown in the
+following examples. </p>
 
 <blockquote>
 
@@ -561,14 +559,15 @@ when authentication is successful: </p>
 
 <p> Sometimes the <code>testsaslauthd</code> program is not distributed
 with a the Cyrus SASL main package.  In that case, it may be
-distributed with -devel, -dev or -debug packages. </p>
+distributed with <code>-devel</code>, <code>-dev</code> or
+<code>-debug</code> packages. </p>
 
 </blockquote>
 
 <p> Specify an additional "<code>-s smtp</code>" if <code>saslauthd</code>
-was configured to contact the PAM authentication framework and an
-additional "<code>-f <em>/path/to/socketdir/mux</em></code>" if
-<code>saslauthd</code> establishes the UNIX-domain socket in a
+was configured to contact the PAM authentication framework, and
+specify an additional "<code>-f <em>/path/to/socketdir/mux</em></code>"
+if <code>saslauthd</code> establishes the UNIX-domain socket in a
 non-default location. </p>
 
 <p> If authentication succeeds, proceed with the section "<a
@@ -584,22 +583,20 @@ SASL sources provide three authentication plugins. </p>
 
 <blockquote>
 
-<dl>
+<table border="1">
 
-<dt><a href="#auxprop_sasldb">sasldb</a></dt>
+<tr> <th>Plugin </th> <th>Description </th> </tr>
 
-<dd> <p> Accounts are stored stored in a Cyrus SASL Berkeley DB
-database </p> </dd>
+<tr> <td><a href="#auxprop_sasldb">sasldb</a></dt> <td> Accounts
+are stored stored in a Cyrus SASL Berkeley DB database </td> </tr>
 
-<dt><a href="#auxprop_sql">sql</a></dt>
+<tr> <td><a href="#auxprop_sql">sql</a></dt> <td> Accounts are
+stored in a SQL database </td> </tr>
 
-<dd> <p> Accounts are stored in a SQL database </p> </dd>
+<tr> <td><a href="#auxprop_ldapdb">ldapdb</a></dt> <td> Accounts
+are stored stored in an LDAP database </td> </tr>
 
-<dt><a href="#auxprop_ldapdb">ldapdb</a></dt>
-
-<dd> <p> Accounts are stored stored in an LDAP database </p> </dd>
-
-</dl>
+</table>
 
 </blockquote>
 
@@ -718,12 +715,13 @@ stored as plaintext. </p>
 
 <strong>Tip</strong>
 
-<p> If you must store encrypted passwords, see section "<a
-href="#saslauthd_pam">Using saslauthd with PAM</a>", and configure
-PAM to look up the encrypted passwords with, for example, the
-<code>pam_mysql</code> module.  You will not be able to use any of
-the methods that require access to plaintext passwords, such as the
-shared-secret methods CRAM-MD5 and DIGEST-MD5.  </p>
+<p> If you must store encrypted passwords, you cannot use the sql
+auxprop plugin. Instead, see section "<a href="#saslauthd_pam">Using
+saslauthd with PAM</a>", and configure PAM to look up the encrypted
+passwords with, for example, the <code>pam_mysql</code> module.
+You will not be able to use any of the methods that require access
+to plaintext passwords, such as the shared-secret methods CRAM-MD5
+and DIGEST-MD5.  </p>
 
 </blockquote>
 
@@ -896,12 +894,13 @@ stored as plaintext. </p>
 
 <strong>Tip</strong>
 
-<p> If you must store encrypted passwords, you can use "<code>saslauthd
--a ldap</code>" to query the LDAP database directly, with appropriate
-configuration in <code>saslauthd.conf</code>. This may be documented
-in a later version of this document.  You will not be able to use
-any of the methods that require access to plaintext passwords, such
-as the shared-secret methods CRAM-MD5 and DIGEST-MD5.  </p>
+<p> If you must store encrypted passwords, you cannot use the ldapdb
+auxprop plugin. Instead, you can use "<code>saslauthd -a ldap</code>"
+to query the LDAP database directly, with appropriate configuration
+in <code>saslauthd.conf</code>. This may be documented in a later
+version of this document.  You will not be able to use any of the
+methods that require access to plaintext passwords, such as the
+shared-secret methods CRAM-MD5 and DIGEST-MD5.  </p>
 
 </blockquote>
 
@@ -1123,7 +1122,7 @@ server runs chrooted. </p>
 in the Postfix SMTP server</a></h4>
 
 <p> Regardless of the SASL implementation type, enabling SMTP
-authentication in the Postfix SMTP server always requires seting
+authentication in the Postfix SMTP server always requires setting
 the <code><a href="postconf.5.html#smtpd_sasl_auth_enable">smtpd_sasl_auth_enable</a></code> option: </p>
 
 <blockquote>
@@ -1775,10 +1774,11 @@ mechanism): </p>
 </pre>
 </blockquote>
 
-<p> This default policy leads to authentication failures if the
-remote server only offers plaintext authentication mechanisms.  In
-such cases the SMTP client will log the following error message:
-</p>
+<p> This default policy, which allows no plaintext passwords, leads
+to authentication failures if the remote server only offers plaintext
+authentication mechanisms (the SMTP server announces "<code>AUTH
+PLAIN LOGIN</code>").  In such cases the SMTP client will log the
+following error message: </p>
 
 <blockquote>
 <pre>
@@ -1786,6 +1786,16 @@ SASL authentication failure: No worthy mechs found
 </pre>
 </blockquote>
 
+<blockquote>
+
+<strong>Note</strong>
+
+<p> This same error message will also be logged when the
+<code>libplain.so</code> or <code>liblogin.so</code> modules are
+not installed in the <code>/usr/lib/sasl2</code> directory. </p>
+
+</blockquote>
+
 <p> The less secure approach is to lower the security standards and
 permit plaintext authentication mechanisms: </p>
 
diff --git a/postfix/html/bounce.8.html b/postfix/html/bounce.8.html
index 3a6e49ab2..4896b1f11 100644
--- a/postfix/html/bounce.8.html
+++ b/postfix/html/bounce.8.html
@@ -45,10 +45,11 @@ BOUNCE(8)                                                            BOUNCE(8)
 <b>STANDARDS</b>
        <a href="http://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
        <a href="http://tools.ietf.org/html/rfc2045">RFC 2045</a> (Format of Internet Message Bodies)
-       <a href="http://tools.ietf.org/html/rfc2822">RFC 2822</a> (ARPA Internet Text Messages)
+       <a href="http://tools.ietf.org/html/rfc2822">RFC 2822</a> (Internet Message Format)
        <a href="http://tools.ietf.org/html/rfc3462">RFC 3462</a> (Delivery Status Notifications)
        <a href="http://tools.ietf.org/html/rfc3464">RFC 3464</a> (Delivery Status Notifications)
        <a href="http://tools.ietf.org/html/rfc3834">RFC 3834</a> (Auto-Submitted: message header)
+       <a href="http://tools.ietf.org/html/rfc5322">RFC 5322</a> (Internet Message Format)
 
 <b>DIAGNOSTICS</b>
        Problems and transactions are logged to <b>syslogd</b>(8).
diff --git a/postfix/html/defer.8.html b/postfix/html/defer.8.html
index 3a6e49ab2..4896b1f11 100644
--- a/postfix/html/defer.8.html
+++ b/postfix/html/defer.8.html
@@ -45,10 +45,11 @@ BOUNCE(8)                                                            BOUNCE(8)
 <b>STANDARDS</b>
        <a href="http://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
        <a href="http://tools.ietf.org/html/rfc2045">RFC 2045</a> (Format of Internet Message Bodies)
-       <a href="http://tools.ietf.org/html/rfc2822">RFC 2822</a> (ARPA Internet Text Messages)
+       <a href="http://tools.ietf.org/html/rfc2822">RFC 2822</a> (Internet Message Format)
        <a href="http://tools.ietf.org/html/rfc3462">RFC 3462</a> (Delivery Status Notifications)
        <a href="http://tools.ietf.org/html/rfc3464">RFC 3464</a> (Delivery Status Notifications)
        <a href="http://tools.ietf.org/html/rfc3834">RFC 3834</a> (Auto-Submitted: message header)
+       <a href="http://tools.ietf.org/html/rfc5322">RFC 5322</a> (Internet Message Format)
 
 <b>DIAGNOSTICS</b>
        Problems and transactions are logged to <b>syslogd</b>(8).
diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html
index bcc7eca5d..bf10f6f58 100644
--- a/postfix/html/postconf.5.html
+++ b/postfix/html/postconf.5.html
@@ -274,19 +274,18 @@ This feature is available in Postfix 2.1 and later.
 </DD>
 
 <DT><b><a name="address_verify_poll_count">address_verify_poll_count</a>
-(default: see "postconf -d" output)</b></DT><DD>
+(default: ${stress?1}${stress:3})</b></DT><DD>
 
 <p>
 How many times to query the <a href="verify.8.html">verify(8)</a> service for the completion
 of an address verification request in progress.
 </p>
 
-<p>
-The Postfix SMTP server polls the <a href="verify.8.html">verify(8)</a> service up to three
-times under non-overload conditions, and only once when under
-overload.  With Postfix version 2.6 and earlier, the SMTP server
-always polls the <a href="verify.8.html">verify(8)</a> service up to three times.
-</p>
+<p> By default, the Postfix SMTP server polls the <a href="verify.8.html">verify(8)</a> service
+up to three times under non-overload conditions, and only once when
+under overload.  With Postfix version 2.6 and earlier, the SMTP
+server always polls the <a href="verify.8.html">verify(8)</a> service up to three times by
+default.  </p>
 
 <p>
 Specify 1 to implement a crude form of greylisting, that is, always
@@ -294,10 +293,13 @@ defer the first delivery request for a new address.
 </p>
 
 <p>
-Example:
+Examples:
 </p>
 
 <pre>
+# Postfix &le; 2.6 default
+<a href="postconf.5.html#address_verify_poll_count">address_verify_poll_count</a> = 3
+# Poor man's greylisting
 <a href="postconf.5.html#address_verify_poll_count">address_verify_poll_count</a> = 1
 </pre>
 
diff --git a/postfix/html/smtpd.8.html b/postfix/html/smtpd.8.html
index 746389669..1e08cc9bc 100644
--- a/postfix/html/smtpd.8.html
+++ b/postfix/html/smtpd.8.html
@@ -345,7 +345,7 @@ SMTPD(8)                                                              SMTPD(8)
 
        Available in Postfix version 2.1 and 2.2:
 
-       <b>smtpd_sasl_application_name (smtpd)</b>
+       <b><a href="postconf.5.html#smtpd_sasl_application_name">smtpd_sasl_application_name</a> (smtpd)</b>
               The application name that the Postfix  SMTP  server
               uses for SASL server initialization.
 
@@ -992,7 +992,7 @@ SMTPD(8)                                                              SMTPD(8)
        and operate the Postfix sender/recipient address verifica-
        tion service.
 
-       <b><a href="postconf.5.html#address_verify_poll_count">address_verify_poll_count</a> (see 'postconf -d' output)</b>
+       <b><a href="postconf.5.html#address_verify_poll_count">address_verify_poll_count</a> (${stress?1}${stress:3})</b>
               How many times to query the <a href="verify.8.html"><b>verify</b>(8)</a>  service  for
               the  completion  of an address verification request
               in progress.
diff --git a/postfix/html/trace.8.html b/postfix/html/trace.8.html
index 3a6e49ab2..4896b1f11 100644
--- a/postfix/html/trace.8.html
+++ b/postfix/html/trace.8.html
@@ -45,10 +45,11 @@ BOUNCE(8)                                                            BOUNCE(8)
 <b>STANDARDS</b>
        <a href="http://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
        <a href="http://tools.ietf.org/html/rfc2045">RFC 2045</a> (Format of Internet Message Bodies)
-       <a href="http://tools.ietf.org/html/rfc2822">RFC 2822</a> (ARPA Internet Text Messages)
+       <a href="http://tools.ietf.org/html/rfc2822">RFC 2822</a> (Internet Message Format)
        <a href="http://tools.ietf.org/html/rfc3462">RFC 3462</a> (Delivery Status Notifications)
        <a href="http://tools.ietf.org/html/rfc3464">RFC 3464</a> (Delivery Status Notifications)
        <a href="http://tools.ietf.org/html/rfc3834">RFC 3834</a> (Auto-Submitted: message header)
+       <a href="http://tools.ietf.org/html/rfc5322">RFC 5322</a> (Internet Message Format)
 
 <b>DIAGNOSTICS</b>
        Problems and transactions are logged to <b>syslogd</b>(8).
diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5
index d43365561..811b82f92 100644
--- a/postfix/man/man5/postconf.5
+++ b/postfix/man/man5/postconf.5
@@ -157,23 +157,27 @@ be refreshed.
 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
 .PP
 This feature is available in Postfix 2.1 and later.
-.SH address_verify_poll_count (default: see "postconf -d" output)
+.SH address_verify_poll_count (default: ${stress?1}${stress:3})
 How many times to query the \fBverify\fR(8) service for the completion
 of an address verification request in progress.
 .PP
-The Postfix SMTP server polls the \fBverify\fR(8) service up to three
-times under non-overload conditions, and only once when under
-overload.  With Postfix version 2.6 and earlier, the SMTP server
-always polls the \fBverify\fR(8) service up to three times.
+By default, the Postfix SMTP server polls the \fBverify\fR(8) service
+up to three times under non-overload conditions, and only once when
+under overload.  With Postfix version 2.6 and earlier, the SMTP
+server always polls the \fBverify\fR(8) service up to three times by
+default.
 .PP
 Specify 1 to implement a crude form of greylisting, that is, always
 defer the first delivery request for a new address.
 .PP
-Example:
+Examples:
 .PP
 .nf
 .na
 .ft C
+# Postfix <= 2.6 default
+address_verify_poll_count = 3
+# Poor man's greylisting
 address_verify_poll_count = 1
 .fi
 .ad
diff --git a/postfix/man/man8/bounce.8 b/postfix/man/man8/bounce.8
index 4c1489f55..41f5183d4 100644
--- a/postfix/man/man8/bounce.8
+++ b/postfix/man/man8/bounce.8
@@ -43,10 +43,11 @@ themselves, and that depend on retry logic in their own client.
 .nf
 RFC 822 (ARPA Internet Text Messages)
 RFC 2045 (Format of Internet Message Bodies)
-RFC 2822 (ARPA Internet Text Messages)
+RFC 2822 (Internet Message Format)
 RFC 3462 (Delivery Status Notifications)
 RFC 3464 (Delivery Status Notifications)
 RFC 3834 (Auto-Submitted: message header)
+RFC 5322 (Internet Message Format)
 .SH DIAGNOSTICS
 .ad
 .fi
diff --git a/postfix/man/man8/smtpd.8 b/postfix/man/man8/smtpd.8
index 9c812e944..ec5ba6abc 100644
--- a/postfix/man/man8/smtpd.8
+++ b/postfix/man/man8/smtpd.8
@@ -384,8 +384,8 @@ File with the Postfix SMTP server RSA private key in PEM format.
 .IP "\fBsmtpd_tls_loglevel (0)\fR"
 Enable additional Postfix SMTP server logging of TLS activity.
 .IP "\fBsmtpd_tls_mandatory_ciphers (medium)\fR"
-The minimum TLS cipher grade that the Postfix SMTP server
-will use with mandatory TLS encryption.
+The minimum TLS cipher grade that the Postfix SMTP server will
+use with mandatory TLS encryption.
 .IP "\fBsmtpd_tls_mandatory_exclude_ciphers (empty)\fR"
 Additional list of ciphers or cipher types to exclude from the
 SMTP server cipher list at mandatory TLS security levels.
@@ -794,7 +794,7 @@ verification probes is maintained by the \fBverify\fR(8) server.
 See the file ADDRESS_VERIFICATION_README for information
 about how to configure and operate the Postfix sender/recipient
 address verification service.
-.IP "\fBaddress_verify_poll_count (see 'postconf -d' output)\fR"
+.IP "\fBaddress_verify_poll_count (${stress?1}${stress:3})\fR"
 How many times to query the \fBverify\fR(8) service for the completion
 of an address verification request in progress.
 .IP "\fBaddress_verify_poll_delay (3s)\fR"
diff --git a/postfix/proto/ADDRESS_REWRITING_README.html b/postfix/proto/ADDRESS_REWRITING_README.html
index 94612cc16..b3796f3d0 100644
--- a/postfix/proto/ADDRESS_REWRITING_README.html
+++ b/postfix/proto/ADDRESS_REWRITING_README.html
@@ -602,7 +602,7 @@ in the master.cf file.  This feature is available in Postfix version
 <blockquote>
 <pre>
 /etc/postfix/master.cf:
-    :10026      inet  n       -       n       -       -       smtpd
+    127.0.0.1:10026    inet  n      -      n      -      -     smtpd
         -o receive_override_options=no_address_mappings
 </pre>
 </blockquote>
@@ -701,7 +701,7 @@ Postfix version 2.1 and later. </p>
 <blockquote>
 <pre>
 /etc/postfix/master.cf:
-    :10026      inet  n       -       n       -       -       smtpd
+    127.0.0.1:10026    inet  n      -      n      -      -     smtpd
         -o receive_override_options=no_address_mappings
 </pre>
 </blockquote>
@@ -751,7 +751,7 @@ is available in Postfix version 2.1 and later. </p>
 <blockquote>
 <pre>
 /etc/postfix/master.cf:
-    :10026      inet  n       -       n       -       -       smtpd
+    127.0.0.1:10026    inet  n      -      n      -      -     smtpd
         -o receive_override_options=no_address_mappings
 </pre>
 </blockquote>
@@ -810,7 +810,7 @@ in the master.cf file.  This feature is available in Postfix version
 <blockquote>
 <pre>
 /etc/postfix/master.cf:
-    :10026      inet  n       -       n       -       -       smtpd
+    127.0.0.1:10026    inet  n      -      n      -      -     smtpd
         -o receive_override_options=no_address_mappings
 </pre>
 </blockquote>
diff --git a/postfix/proto/DATABASE_README.html b/postfix/proto/DATABASE_README.html
index b9ffa3a52..5e5f03bec 100644
--- a/postfix/proto/DATABASE_README.html
+++ b/postfix/proto/DATABASE_README.html
@@ -370,7 +370,7 @@ example, the lookup table "static:foobar" always returns the string
 described in tcp_table(5). The lookup table name is "tcp:host:port"
 where "host" specifies a symbolic hostname or a numeric IP address,
 and "port" specifies a symbolic service name or a numeric port
-number. This protocol is not available in the stable Postfix release.
+number.
 </dd>
 
 <dt> <b>unix</b> (read-only) </dt>
diff --git a/postfix/proto/SASL_README.html b/postfix/proto/SASL_README.html
index 25efe1d74..1920f03cf 100644
--- a/postfix/proto/SASL_README.html
+++ b/postfix/proto/SASL_README.html
@@ -32,8 +32,8 @@ the server itself is responsible for.  Usually, SMTP servers allow
 mail to remote destinations when the client's IP address is in the
 "same network" as the server's IP address.  </p>
 
-<p> Sometimes an SMTP client needs "same network" privileges when
-it connects from elsewhere.  To address this problem, Postfix
+<p> SMTP clients outside the SMTP server's network need a different
+way to get "same network" privileges.  To address this need, Postfix
 supports SASL authentication (RFC 4954, formerly RFC 2554).  With
 this a remote SMTP client can authenticate to the Postfix SMTP
 server, and the Postfix SMTP client can authenticate to a remote
@@ -176,10 +176,10 @@ later. </p>
 
 <h3><a name="server_dovecot">Configuring Dovecot SASL</a></h3>
 
-<p> Dovecot is a POP/IMAP server that must be configured to
+<p> Dovecot is a POP/IMAP server that has its own configuration to
 authenticate POP/IMAP clients. When the Postfix SMTP server uses
-Dovecot SASL, it also reuses this configuration.  Consult the <a
-href="http://wiki.dovecot.org">Dovecot documentation</a> for how
+Dovecot SASL, it reuses parts of this configuration.  Consult the
+<a href="http://wiki.dovecot.org">Dovecot documentation</a> for how
 to configure and operate the Dovecot authentication server.  </p>
 
 <h4><a name="server_dovecot_comm">Postfix to Dovecot SASL communication</a></h4>
@@ -220,16 +220,14 @@ SASL socket in <code>/var/spool/postfix/private/auth</code>, and
 lines 11-13 limit read+write permissions to user and group
 <code>postfix</code> only. </p>
 
-<p> Proceed with the section "<a href="#server_sasl_enable"
-title="Enabling SASL authentication and configuring authorization
-in the Postfix SMTP server">Enabling SASL authentication and
-authorization in the Postfix SMTP server</a>" to turn on and use
-SASL in the Postfix SMTP server.  </p>
+<p> Proceed with the section "<a href="#server_sasl_enable">Enabling
+SASL authentication and authorization in the Postfix SMTP server</a>"
+to turn on and use SASL in the Postfix SMTP server.  </p>
 
 <h3><a name="server_cyrus">Configuring Cyrus SASL</a></h3>
 
-<p> The Cyrus SASL framework was supports a wide variety of
-applications.  Different applications may require different
+<p> The Cyrus SASL framework supports a wide variety of applications
+(POP, IMAP, SMTP, etc.).  Different applications may require different
 configurations. As a consequence each application may have its own
 configuration file.  </p>
 
@@ -438,9 +436,9 @@ by an additional security layer such as a TLS-encrypted SMTP session
 
 <p> Additionally the <code>saslauthd</code> server itself must be
 configured. It must be told which authentication backend to turn
-to for password verification. The backend is choosen as a command
-line option when <code>saslauthd</code> is started and will be shown
-in the following examples. </p>
+to for password verification. The backend is selected with a
+<code>saslauthd</code> command-line option and will be shown in the
+following examples. </p>
 
 <blockquote>
 
@@ -561,14 +559,15 @@ when authentication is successful: </p>
 
 <p> Sometimes the <code>testsaslauthd</code> program is not distributed
 with a the Cyrus SASL main package.  In that case, it may be
-distributed with -devel, -dev or -debug packages. </p>
+distributed with <code>-devel</code>, <code>-dev</code> or
+<code>-debug</code> packages. </p>
 
 </blockquote>
 
 <p> Specify an additional "<code>-s smtp</code>" if <code>saslauthd</code>
-was configured to contact the PAM authentication framework and an
-additional "<code>-f <em>/path/to/socketdir/mux</em></code>" if
-<code>saslauthd</code> establishes the UNIX-domain socket in a
+was configured to contact the PAM authentication framework, and
+specify an additional "<code>-f <em>/path/to/socketdir/mux</em></code>"
+if <code>saslauthd</code> establishes the UNIX-domain socket in a
 non-default location. </p>
 
 <p> If authentication succeeds, proceed with the section "<a
@@ -584,22 +583,20 @@ SASL sources provide three authentication plugins. </p>
 
 <blockquote>
 
-<dl>
+<table border="1">
 
-<dt><a href="#auxprop_sasldb">sasldb</a></dt>
+<tr> <th>Plugin </th> <th>Description </th> </tr>
 
-<dd> <p> Accounts are stored stored in a Cyrus SASL Berkeley DB
-database </p> </dd>
+<tr> <td><a href="#auxprop_sasldb">sasldb</a></dt> <td> Accounts
+are stored stored in a Cyrus SASL Berkeley DB database </td> </tr>
 
-<dt><a href="#auxprop_sql">sql</a></dt>
+<tr> <td><a href="#auxprop_sql">sql</a></dt> <td> Accounts are
+stored in a SQL database </td> </tr>
 
-<dd> <p> Accounts are stored in a SQL database </p> </dd>
+<tr> <td><a href="#auxprop_ldapdb">ldapdb</a></dt> <td> Accounts
+are stored stored in an LDAP database </td> </tr>
 
-<dt><a href="#auxprop_ldapdb">ldapdb</a></dt>
-
-<dd> <p> Accounts are stored stored in an LDAP database </p> </dd>
-
-</dl>
+</table>
 
 </blockquote>
 
@@ -718,12 +715,13 @@ stored as plaintext. </p>
 
 <strong>Tip</strong>
 
-<p> If you must store encrypted passwords, see section "<a
-href="#saslauthd_pam">Using saslauthd with PAM</a>", and configure
-PAM to look up the encrypted passwords with, for example, the
-<code>pam_mysql</code> module.  You will not be able to use any of
-the methods that require access to plaintext passwords, such as the
-shared-secret methods CRAM-MD5 and DIGEST-MD5.  </p>
+<p> If you must store encrypted passwords, you cannot use the sql
+auxprop plugin. Instead, see section "<a href="#saslauthd_pam">Using
+saslauthd with PAM</a>", and configure PAM to look up the encrypted
+passwords with, for example, the <code>pam_mysql</code> module.
+You will not be able to use any of the methods that require access
+to plaintext passwords, such as the shared-secret methods CRAM-MD5
+and DIGEST-MD5.  </p>
 
 </blockquote>
 
@@ -896,12 +894,13 @@ stored as plaintext. </p>
 
 <strong>Tip</strong>
 
-<p> If you must store encrypted passwords, you can use "<code>saslauthd
--a ldap</code>" to query the LDAP database directly, with appropriate
-configuration in <code>saslauthd.conf</code>. This may be documented
-in a later version of this document.  You will not be able to use
-any of the methods that require access to plaintext passwords, such
-as the shared-secret methods CRAM-MD5 and DIGEST-MD5.  </p>
+<p> If you must store encrypted passwords, you cannot use the ldapdb
+auxprop plugin. Instead, you can use "<code>saslauthd -a ldap</code>"
+to query the LDAP database directly, with appropriate configuration
+in <code>saslauthd.conf</code>. This may be documented in a later
+version of this document.  You will not be able to use any of the
+methods that require access to plaintext passwords, such as the
+shared-secret methods CRAM-MD5 and DIGEST-MD5.  </p>
 
 </blockquote>
 
@@ -1123,7 +1122,7 @@ server runs chrooted. </p>
 in the Postfix SMTP server</a></h4>
 
 <p> Regardless of the SASL implementation type, enabling SMTP
-authentication in the Postfix SMTP server always requires seting
+authentication in the Postfix SMTP server always requires setting
 the <code>smtpd_sasl_auth_enable</code> option: </p>
 
 <blockquote>
@@ -1775,10 +1774,11 @@ mechanism): </p>
 </pre>
 </blockquote>
 
-<p> This default policy leads to authentication failures if the
-remote server only offers plaintext authentication mechanisms.  In
-such cases the SMTP client will log the following error message:
-</p>
+<p> This default policy, which allows no plaintext passwords, leads
+to authentication failures if the remote server only offers plaintext
+authentication mechanisms (the SMTP server announces "<code>AUTH
+PLAIN LOGIN</code>").  In such cases the SMTP client will log the
+following error message: </p>
 
 <blockquote>
 <pre>
@@ -1786,6 +1786,16 @@ SASL authentication failure: No worthy mechs found
 </pre>
 </blockquote>
 
+<blockquote>
+
+<strong>Note</strong>
+
+<p> This same error message will also be logged when the
+<code>libplain.so</code> or <code>liblogin.so</code> modules are
+not installed in the <code>/usr/lib/sasl2</code> directory. </p>
+
+</blockquote>
+
 <p> The less secure approach is to lower the security standards and
 permit plaintext authentication mechanisms: </p>
 
diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto
index e4fcd4853..10677e9d1 100644
--- a/postfix/proto/postconf.proto
+++ b/postfix/proto/postconf.proto
@@ -301,19 +301,18 @@ seconds. </p>
 
 <p> This feature is available in Postfix 2.7. </p>
 
-%PARAM address_verify_poll_count see "postconf -d" output
+%PARAM address_verify_poll_count ${stress?1}${stress:3}
 
 <p>
 How many times to query the verify(8) service for the completion
 of an address verification request in progress.
 </p>
 
-<p>
-The Postfix SMTP server polls the verify(8) service up to three
-times under non-overload conditions, and only once when under
-overload.  With Postfix version 2.6 and earlier, the SMTP server
-always polls the verify(8) service up to three times.
-</p>
+<p> By default, the Postfix SMTP server polls the verify(8) service
+up to three times under non-overload conditions, and only once when
+under overload.  With Postfix version 2.6 and earlier, the SMTP
+server always polls the verify(8) service up to three times by
+default.  </p>
 
 <p>
 Specify 1 to implement a crude form of greylisting, that is, always
@@ -321,10 +320,13 @@ defer the first delivery request for a new address.
 </p>
 
 <p>
-Example:
+Examples:
 </p>
 
 <pre>
+# Postfix &le; 2.6 default
+address_verify_poll_count = 3
+# Poor man's greylisting
 address_verify_poll_count = 1
 </pre>
 
diff --git a/postfix/src/bounce/bounce.c b/postfix/src/bounce/bounce.c
index 81d09942f..3c52e7aea 100644
--- a/postfix/src/bounce/bounce.c
+++ b/postfix/src/bounce/bounce.c
@@ -35,10 +35,11 @@
 /* STANDARDS
 /*	RFC 822 (ARPA Internet Text Messages)
 /*	RFC 2045 (Format of Internet Message Bodies)
-/*	RFC 2822 (ARPA Internet Text Messages)
+/*	RFC 2822 (Internet Message Format)
 /*	RFC 3462 (Delivery Status Notifications)
 /*	RFC 3464 (Delivery Status Notifications)
 /*	RFC 3834 (Auto-Submitted: message header)
+/*	RFC 5322 (Internet Message Format)
 /* DIAGNOSTICS
 /*	Problems and transactions are logged to \fBsyslogd\fR(8).
 /* CONFIGURATION PARAMETERS
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index ff112740f..c2e976e10 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20100208"
+#define MAIL_RELEASE_DATE	"20100213"
 #define MAIL_VERSION_NUMBER	"2.8"
 
 #ifdef SNAPSHOT
diff --git a/postfix/src/local/bounce_workaround.c b/postfix/src/local/bounce_workaround.c
index b09df7d41..13af3434e 100644
--- a/postfix/src/local/bounce_workaround.c
+++ b/postfix/src/local/bounce_workaround.c
@@ -19,14 +19,15 @@
 /*
 /*	Sender address override is a problem only when delivering
 /*	to command or file, or when breaking a Delivered-To loop.
-/*	The local(8) delivery agent saves other recipients to a new
-/*	queue file, together with the replacement envelope sender
-/*	address; delivery then proceeds from that new queue file.
+/*	The local(8) delivery agent saves normal recipients to a
+/*	new queue file, together with the replacement envelope
+/*	sender address; delivery then proceeds from that new queue
+/*	file, and no workaround is needed.
 /*
 /*	The workaround sends one non-delivery notification for each
 /*	failed delivery that has a replacement sender address.  The
 /*	notifications are not aggregated, unlike notifications to
-/*	non-replaced sender addresses). In practice, a local alias
+/*	non-replaced sender addresses. In practice, a local alias
 /*	rarely has more than one file or command destination (if
 /*	only because soft error handling is problematic).
 /*
diff --git a/postfix/src/smtpd/smtpd.c b/postfix/src/smtpd/smtpd.c
index abec2da99..307cdd406 100644
--- a/postfix/src/smtpd/smtpd.c
+++ b/postfix/src/smtpd/smtpd.c
@@ -352,8 +352,8 @@
 /* .IP "\fBsmtpd_tls_loglevel (0)\fR"
 /*	Enable additional Postfix SMTP server logging of TLS activity.
 /* .IP "\fBsmtpd_tls_mandatory_ciphers (medium)\fR"
-/*	The minimum TLS cipher grade that the Postfix SMTP server
-/*	will use with mandatory TLS encryption.
+/*	The minimum TLS cipher grade that the Postfix SMTP server will
+/*	use with mandatory TLS encryption.
 /* .IP "\fBsmtpd_tls_mandatory_exclude_ciphers (empty)\fR"
 /*	Additional list of ciphers or cipher types to exclude from the
 /*	SMTP server cipher list at mandatory TLS security levels.
@@ -744,7 +744,7 @@
 /*	See the file ADDRESS_VERIFICATION_README for information
 /*	about how to configure and operate the Postfix sender/recipient
 /*	address verification service.
-/* .IP "\fBaddress_verify_poll_count (see 'postconf -d' output)\fR"
+/* .IP "\fBaddress_verify_poll_count (${stress?1}${stress:3})\fR"
 /*	How many times to query the \fBverify\fR(8) service for the completion
 /*	of an address verification request in progress.
 /* .IP "\fBaddress_verify_poll_delay (3s)\fR"
diff --git a/postfix/src/util/dict_open.c b/postfix/src/util/dict_open.c
index 04df52b65..b807bc2b0 100644
--- a/postfix/src/util/dict_open.c
+++ b/postfix/src/util/dict_open.c
@@ -223,9 +223,7 @@ static const DICT_OPEN_INFO dict_open_info[] = {
     DICT_TYPE_ENVIRON, dict_env_open,
     DICT_TYPE_HT, dict_ht_open,
     DICT_TYPE_UNIX, dict_unix_open,
-#ifdef SNAPSHOT
     DICT_TYPE_TCP, dict_tcp_open,
-#endif
 #ifdef HAS_SDBM
     DICT_TYPE_SDBM, dict_sdbm_open,
 #endif